Days after the General Data Protection Regulation entered into force, data protection and social networks are in the news again: Last Tuesday, the ECJ decided that the administrator of a Facebook page is jointly responsible, along with Facebook itself, for processing personal data of Facebook users and persons visiting the page hosted on Facebook via web tracking.

Is Germany facing a tidal shift in police powers? Does the border between the prosecution of criminal offences and the prevention of looming dangers, which has so far been regarded as self-evident and constitutionally necessary, fall? Will people who are suspected of maybe committing crimes in the future only on the basis of statistical data or non-individualized investigative approaches be preventively restricted in their fundamental rights and even imprisoned in the long term? Is Germany on the way to comprehensive predictive policing, for which considerable risks of discrimination will be accepted? These questions are raised by the critics of the draft act on police tasks, which the Bavarian state government intends to pass this week. Besides drones and online seizure, one of the crucial investigative issues is the so-called “DNA phenotyping”.

A little over a month ago, the Polish parliament passed a law on organizational issues related to the Conference of Parties (COP24) of the UN Framework Convention on Climate Change (UNFCCC), which will meet next in December in Katowice, Poland. While the law has not received much international media attention, it has caused quite a stir amongst environmental non-governmental organizations and human rights activists. It prohibits participation in any spontaneous assembly in Katowice during the entire COP24 meeting; and authorizes the Polish government to collect participants’ personal data for reasons of public safety.

On 26 July the EU Court of Justice (CJEU) issued Opinion 1/15, which is its most significant ruling on the international dimensions of data protection law since its 2015 judgment in the Schrems case. In Opinion 1/15, the Grand Chamber of the Court found that the draft agreement between the EU and Canada for the transfer of passenger name record (PNR) data may not be concluded in its current form, since several of its provisions are incompatible with EU fundamental rights law. As the Court’s first ruling on the compatibility of a draft international agreement with the EU Charter of Fundamental Rights, the judgment has important implications for many areas of EU law.

Two months ago, the European Parliament and the Council enacted the European General Data Protection Regulation as the result of a 4-year-long legislative procedure. For a long time, it was uncertain whether the regulation could be passed at all: Not only has there been considerable opposition by EU Member States, but there have also been about 4,000 amendments by Parliament, accompanied by an enormous engagement of lobby groups.

Just like Star Wars, the "Solange" saga about German constitutional order’s approach to fundamental rights protection in the context of European integration appeared as a story told and settled. But now there are rumours that in Germany Solange Episode III is in the making, with a release date around 2016. The ECJ’s Schrems decision will bring some turmoil to the Solange Episode III production in Germany.

In Schrems the CJEU has declared the Safe-Harbor-Decision of the European Commission invalid whilst strengthening the EU fundamental rights. The Court has done so with astonishing clarity. Although the matter is about Facebook Ireland’s transfer of data to servers of Facebook, Inc. in the U.S., it, ironically, will not be Facebook but companies of the European “old economy” that will have to face severe consequences in the aftermath of this landmark judgement. In many cases of everyday data processing in the business world, the consent of data subjects will be impossible to obtain. It is at the same time nearly impossible to prevent data from being transferred outside the EU. Hence, a vast number of data processing operations which were lawful before Schrems are now illegal.

On Tuesday, the Grand Chamber of the Court of Justice of the European Union declared the Commission’s US Safe Harbour Decision invalid. The Court’s ruling in Case C-362/14 of the Austrian Internet activist Maximilian Schrems v the Irish Data Protection Commissioner is a milestone in the protection of European fundamental rights, but it also preserves space for different national supervisory standards and national discretion on whether data may actually be transferred. Is the ruling opening the way for a patchwork of national data protection? How does this ruling influence the TTIP negotiations?

What is remarkable in the CJEU’s Schrems decision is that a) the Court actually identified the intrusion in question as falling under the notion of the essence of privacy – something the European Court of Human Rights has never done under the privacy provision of ECHR Article 8, and b) the identification of an intrusion as compromising the essence of privacy meant that there was no need for a proportionality assessment under Article 52 (1.2) of the Charter. For these reasons, the Max Schrems judgment is a pathbreaking development, a major contribution to the understanding of the structure and legal effect of fundamental rights under the Charter.

Verfassungsblog is a journalistic and academic forum of debate on topical events and developments in constitutional law and politics in Germany, the emerging common European constitutional space and beyond.